Despite dependency and data protection risks: Authorities go to Microsoft cloud

Microsoft 365 was once avoided by public authorities due to data concerns. Now, six federal states aim to use it with specially negotiated terms.


Germany's largest public authority was the first to do so: "The Federal Employment Agency is introducing Microsoft Teams", announced Stefan Latuski, the Chief Information Officer (CIO) of the federal authority with over 100,000 employees, on LinkedIn in December 2023, garnished with a laughing emoji. Preparations for the rollout were made in just 21 weeks, which was "absolutely record time".

However, Peter Neuhauser, Head of IT Security at the employment agency's internal IT service provider, was not in the mood to cheer. "This is a sad day for us, which makes our already difficult job even more difficult," he commented under the article.

The disagreement between the employment agency's CIO and one of his most important staff members is typical of a debate currently being conducted with passion in many German ministries and authorities: Should the state also use Microsoft's cloud services, which have long been standard in most companies? Or should public authorities do without Teams and Microsoft 365 in order to better protect their data and avoid deepening their dependence on the US company?

A survey conducted by c't among the 16 state governments now shows that the proponents of the Microsoft cloud are slowly gaining the upper hand: At least six federal states want to introduce Teams or the complete Microsoft 365 cloud office package in their administration.

Cybersecurity expert Dennis-Kenji Kipker criticizes the decision of federal states such as Lower Saxony to use the Microsoft cloud as "downright negligent".


The pioneer among the federal states is Lower Saxony, which announced the introduction of Teams back in April. At the beginning of August, c't also reported exclusively that Bavaria is negotiating a contract with Microsoft for the use of 365.

According to the results of the c't survey, North Rhine-Westphalia, Bremen, Hamburg and Saarland are also eager to join the Microsoft cloud. In Hamburg, Microsoft 365 is to be available at 8,000 to 10,000 administrative workstations "with normal protection requirements" by the end of the year, a Senate spokesperson explained. Measures are also being worked on that would make it possible to introduce the package in the police and social services, for example. North Rhine-Westphalia is planning a "technical pilot" of Microsoft 365 for the first quarter of 2025, while Bremen plans to introduce the cloud package in October 2025. Saarland is currently preparing the "final release" of Teams, while other Microsoft 365 services are "under consideration".

One of the arguments put forward by cloud proponents is that Microsoft will only offer its Office package from the cloud in the future. According to current planning, support for the classic MS Office 2024 will end in 2029.

Lower Saxony's state CIO Horst Baier emphasizes the pressure to innovate: "The use of automatically provided applications and resources, support for IT security from the cloud and, finally, the path to using artificial intelligence is imperative," he said in April. In-house IT operations "cannot fully cover" such requirements. In the long term, cloud services will also be cheaper, he predicted. "IT from the socket should be purchased as far as possible."

However, some experts consider IT from the Microsoft socket risky. When it comes to cybersecurity, there have been demonstrably dangerous shortcomings at the US company, Dennis-Kenji Kipker, Professor of IT Security Law at Bremen University of Applied Sciences, tells c't. He points to the stolen signing key for Microsoft's cloud, which Chinese attackers allegedly used to forge access tokens and read the Exchange accounts of US authorities, among others. The Cyber Safety Review Board of the US Department of Homeland Security subsequently concluded that Microsoft had made a "cascade of avoidable mistakes".


In addition, dependence on Microsoft is economically disadvantageous, warns Kipker. The US company can exploit its market power with high prices. It is no coincidence that the German Federal Cartel Office recently placed Microsoft under closer scrutiny. "Against the backdrop of these facts, it seems downright negligent when a large state like Lower Saxony emphasizes that it wants to rely on 'IT from the socket' in the future," concludes the professor.

Many data protection experts are also critical of the move to the Microsoft cloud. In November 2022, the federal and state data protection commissioners determined that the services could not be used in compliance with data protection regulations under Microsoft's standard rules at the time. "The data protection addendum has been updated several times since then, but without being able to dispel the points of criticism," explains a spokesperson for the Federal Commissioner for Data Protection.

Meanwhile, however, at least major customers can negotiate special data protection conditions with Microsoft. The Federal Employment Agency and the state of Lower Saxony, among others, have taken this route. The Lower Saxony State Data Protection Commissioner had previously formulated conditions. Although he considers the outcome of the negotiations between Microsoft and the state government to be in need of improvement in some areas, he finds it "acceptable" overall.

The special rules that Lower Saxony negotiated with Microsoft include, for example, a commitment by the company to store and process the data only on European servers. Support is to be provided only from countries in which, under the current legal situation, work for Microsoft can be carried out in compliance with the GDPR.

The administration also wants to protect its data with its own technical and organizational measures. The Lower Saxony Ministry of the Interior cites the deactivation of diagnostic data and of Teams Analytics as examples. The Federal Employment Agency has prohibited its employees from processing social data (Sozialdaten), such as data on jobseekers, in Teams. However, the agency has not ruled out the possibility of this changing in the future.

Not all ministries and authorities consult the data protection authority responsible for them before negotiating with Microsoft. A spokesperson for the North Rhine-Westphalian state data protection commissioner told c't that they had "not yet been specifically involved" in the state government's plans.

In principle, the data protection commissioners have little leverage in this matter: firstly, they cannot force the authorities to involve them at all. Secondly, if in their view an authority violates data protection rules, they cannot impose fines on public bodies, unlike on companies.

But it is not just data protection advocates who are critical of the move to the Microsoft cloud: with their decision, the six federal states are also irritating the federal government. The latter is working on an alternative for its cloud future: it does not want to book Microsoft 365 directly from Microsoft, but from the SAP subsidiary Delos, which plans to offer the entire range of Microsoft cloud services from its own data centers.

With the Delos cloud, the German government wants to avoid the disadvantages of the public cloud, where both software and infrastructure are booked from a third-party provider. Microsoft is only to supply Delos with the software and updates and therefore has no legal right to access data. Delos is also intended to buy the German government time in case, for example, a re-elected US President Donald Trump blackmails Germany with tech sanctions. Delos promises that the cloud can continue to run independently for at least a few months, even without updates.

The Delos cloud is not only intended for the federal government, but for the entire German administration, including the federal states and local authorities. The more authorities that order, the cheaper it can ultimately be for the individual. However, the interest of the federal states in Delos has so far been so low that Federal Chancellor Olaf Scholz personally and emphatically promoted it to the minister-presidents in the summer: he would "sign a contract immediately", he emphasized according to Handelsblatt.

In the c't survey, however, the state governments remain cautious about Delos. As the costs and scope of services are not yet known, it is not yet possible to assess the offer, they said more or less verbatim.

It is unlikely that states that have already opted for Microsoft's standard cloud will switch to Delos at a later date. After all, they would have to pay more for the same services with Delos. "In comparison, the normal, public Microsoft cloud will be cheaper because the administration's requirements mean a considerable amount of additional work," the then Delos CEO Georges Welz told c't in 2023.

Some federal states are still waiting. According to the state government of Baden-Württemberg, it will probably be possible to license the on-premise products currently in use until October 2029. They therefore "currently see no need to use Microsoft public cloud services. This approach supports the state's sovereignty interests." It is assumed that the Delos cloud will be available as an alternative by then. At the same time, the development of openDesk is being followed "with interest".

openDesk is a suite of open-source office applications such as Open-Xchange, Nextcloud and Collabora Office. The development of this Microsoft 365 alternative is coordinated by the "Center for Digital Sovereignty" (ZenDiS), which was founded and is funded by the German federal government.

Left-wing MP Anke Domscheit-Berg is calling on the German government to provide more money for the Microsoft Office alternative openDesk.

So far, only two federal states have opted for open source in the office sector: Schleswig-Holstein and Thuringia. Schleswig-Holstein has already decided to switch from Microsoft Office to LibreOffice on the approximately 30,000 computers used by the state's employees. The state government is also investigating applications such as Nextcloud and Open-Xchange. Thuringia is currently working on a cloud infrastructure "as a basis for services such as openDesk, Nextcloud, OpenTalk etc.", according to a government spokesperson.

Overall, interest in open source in politics is therefore rather low. "Perhaps the picture would be different today if the federal government hadn't slowed down the development of openDesk so much in recent years," says Anke Domscheit-Berg, digital expert for the Left Party in the Bundestag. She points out that the federal government has cut funding for the Center for Digital Sovereignty from 50 million euros in 2023 to less than 25 million euros in the current year. "And next year, they are even to be cut to less than 3 million euros."

At the same time, the federal government is delaying the admission of federal states as shareholders of the Center, Domscheit-Berg criticized. "These are disastrous strategic mistakes, the after-effects of which will be felt for a long time to come in terms of information security and the amount of money spent on proprietary software licenses."


(cwo)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.